An Ars Technica article entitled "Pavlovian password management" aims to change sloppy habits. Policy would reward or penalize people based on the passwords they pick.
For more than a decade, the virtues of strong passwords have been lost on most end users, despite frequent sermons from security experts and IT administrators over their importance in locking down accounts. Now, a consultant is proposing a system that provides rewards or penalties based on the passcode choices people make. For instance, a user who picks test123@# might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen t3st123@##$x, the system wouldn't require a change for three months.
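The policy described above turns an estimated offline crack time into a rotation deadline. The following is an added illustration of that idea, not code from the article or from Lance James' proposal: it estimates a brute-force keyspace from the character classes a password uses, converts it to an expected crack time at an assumed guess rate, and derives a rotation interval. The guess rate (`ASSUMED_GUESSES_PER_SECOND`), the two-thirds safety fraction and the 90-day cap are constructed assumptions, so the numbers it produces will not match the article's 4.5-day figure, whose underlying assumptions are not given.

```python
import string
from typing import Optional

# Assumed offline guess rate against a fast, unsalted hash on commodity
# hardware. Constructed assumption for illustration, not a figure from the article.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # 1e10 guesses/s

# Character classes used to estimate the brute-force keyspace.
CHARSETS = [
    ("lower", frozenset(string.ascii_lowercase)),    # 26
    ("upper", frozenset(string.ascii_uppercase)),    # 26
    ("digits", frozenset(string.digits)),            # 10
    ("symbols", frozenset(string.punctuation)),      # 32
]


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search: the union of every class the
    password touches, plus one slot per character outside those classes."""
    size = 0
    covered = set()
    for _, chars in CHARSETS:
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    extra = {c for c in password if c not in covered}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over this alphabet and length must try."""
    return charset_size(password) ** len(password)


def expected_crack_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password by brute force: half the keyspace on average.
    NOTE: this overstates the strength of dictionary-derived passwords such as
    test123@#, which crackers try long before exhausting the keyspace."""
    return keyspace(password) / 2 / rate


def rotation_days(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND,
                  safety_fraction: float = 2 / 3, max_days: int = 90,
                  min_days: Optional[int] = 1) -> int:
    """Rotation deadline in days: a fraction of the expected crack time so the
    password is retired before an offline attack is likely to finish, clamped to
    [min_days, max_days]. The fraction and cap are assumed policy parameters."""
    crack_days = expected_crack_seconds(password, rate) / 86_400
    days = int(crack_days * safety_fraction)
    return max(min_days or 0, min(max_days, days))


if __name__ == "__main__":
    for pw in ("test123@#", "t3st123@##$x"):
        print(f"{pw!r}: alphabet={charset_size(pw)} keyspace={keyspace(pw):.3e} "
              f"expected crack={expected_crack_seconds(pw) / 86_400:.1f} days "
              f"-> rotate within {rotation_days(pw)} days")
```

The brute-force model is the weak point of any such policy: a guess-rate figure is only as good as the hash algorithm and hardware it assumes, and pattern-based crackers find `test123@#` far faster than the keyspace suggests. A production estimator would add dictionary and pattern checks before trusting the exhaustive-search number.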
(Score: 3, Insightful) by LegendaryTeeth on Monday May 05 2014, @06:00PM
They are saying if someone stole the database of passwords, it would take 4.5 days to crack that password. So if you stealthily nabbed it, 4.5 days later you come back and successfully authenticate with the real account login interface on the first try. No chance for account lockouts.
(Score: 2) by JeanCroix on Monday May 05 2014, @06:20PM
(Score: 3, Interesting) by SuddenOutbreak on Monday May 05 2014, @06:28PM
Yes, this is pretty much it. I had a friend who was given an old laptop on leaving her old job. It was given with NO support and had multiple XP logins, only two of them having admin rights.
I downloaded "Ophcrack" onto a USB drive and turned it loose. In under one minute it had dug out the passwords which were simple words (mixed-case), and within two it had dug out an admin password of mixed-case plus numbers. One password had remained uncracked, but I had only downloaded the "smaller" 400MB table file. Had I gone for the 7.5GB table file, I could have gotten all of them.
The limiting speed factor (for the XP 'rainbow tables' crack, anyway) is how much fits in RAM.
(Score: 3, Insightful) by snick on Monday May 05 2014, @07:38PM
So .. instead of taking responsibility to protect the store of password hashes, security experts and IT administrators want to sneer at (l)users who can't remember askl;jfdls;kdjf;lskdjfl2kj423kl4j23klj4
Here's an idea: "security experts" should pull their heads out of their asses and come up with tools and practices to prevent offline attacks.
(Score: 1) by e_armadillo on Monday May 05 2014, @08:20PM
Yeah, that was what I was thinking. It seemed to me that it was *more* of a problem that the password database could be hijacked.
"How are we gonna get out of here?" ... "We'll dig our way out!" ... "No, no, dig UP stupid!"
(Score: 2, Informative) by SecurityGuy on Tuesday May 06 2014, @02:34AM
They're both problems. There have historically been vulnerabilities in systems that were not sufficient to give you a login, but were sufficient to get you the contents of files. Use that to get a copy of /etc/shadow or its equivalent and throw it at your favorite password cracker. There were/are also directory services like NIS that happily send password hashes unencrypted over the wire. A sniffer and some time is all you needed to get password hashes.
The bottom line is that by design or fault, password hashes get exposed. Making them hard to crack is just part of a reasonable defense in depth strategy. The problem is that passwords that are sufficiently hard to crack are becoming hard to remember because processing power has increased so much.
(Score: 1) by LegendaryTeeth on Tuesday May 06 2014, @03:05PM
It's not so much that as that your security is only as strong as the weakest link in the chain. It's the same reason you need to save your passwords as salted hashes and not just plaintext. Sure, you do what you can to prevent anyone from stealing the database, but you need to mitigate the damage in case they do.